18f48afca40a3d5cc4f63805a209dbd67793dd6e463881afbe89bbe081619c1b

General

Target

15d2828127b98c02fb86581cbe96f94c.exe
Size

167KB
MD5

15d2828127b98c02fb86581cbe96f94c
SHA1

316458f6f639fed859290ca77beb6fd66938fb4a
SHA256

18f48afca40a3d5cc4f63805a209dbd67793dd6e463881afbe89bbe081619c1b
SHA512

1a0cf978e218cd2f1bcd69454e5491e73f14802cbec9c5df2b3a61464457f061975dcc14221b35cf60150801bd2a5ebaee49589544e963746dab26c7cc154ead
SSDEEP

3072:t4tWMJJh6fryYP/Aarn7JenBUrWgxHK5tacrbKtHBC0lZyuT:tcWMJJhqryYP/Aarn7JEBUxHK5gcrAH3

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	15d2828127b98c02fb86581cbe96f94c.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	autorw.exe
4836	installedrw.exe
3752	atruiwang.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\installedrw.exe = "C:\\TDDownload\\atruiwang\\installedrw.exe"	installedrw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atruiwang.exe = "C:\\TDDownload\\atruiwang\\atruiwang.exe"	atruiwang.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\atruiwang	15d2828127b98c02fb86581cbe96f94c.exe
File created	C:\Program Files (x86)\atruiwang\__tmp_rar_sfx_access_check_240599687	15d2828127b98c02fb86581cbe96f94c.exe
File created	C:\Program Files (x86)\atruiwang\autorw.exe	15d2828127b98c02fb86581cbe96f94c.exe
File opened for modification	C:\Program Files (x86)\atruiwang\autorw.exe	15d2828127b98c02fb86581cbe96f94c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1704	1628	15d2828127b98c02fb86581cbe96f94c.exe	25
PID 1628 wrote to memory of 1704	1628	15d2828127b98c02fb86581cbe96f94c.exe	25
PID 1628 wrote to memory of 1704	1628	15d2828127b98c02fb86581cbe96f94c.exe	25
PID 1704 wrote to memory of 4836	1704	autorw.exe	26
PID 1704 wrote to memory of 4836	1704	autorw.exe	26
PID 1704 wrote to memory of 4836	1704	autorw.exe	26
PID 1704 wrote to memory of 3752	1704	autorw.exe	105
PID 1704 wrote to memory of 3752	1704	autorw.exe	105
PID 1704 wrote to memory of 3752	1704	autorw.exe	105

C:\Users\Admin\AppData\Local\Temp\15d2828127b98c02fb86581cbe96f94c.exe
"C:\Users\Admin\AppData\Local\Temp\15d2828127b98c02fb86581cbe96f94c.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Program Files (x86)\atruiwang\autorw.exe
  "C:\Program Files (x86)\atruiwang\autorw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\TDDownload\atruiwang\installedrw.exe
    C:\TDDownload\atruiwang\installedrw.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4836
- - C:\TDDownload\atruiwang\atruiwang.exe
    C:\TDDownload\atruiwang\atruiwang.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\atruiwang\autorw.exe

Filesize
230KB

MD5
57067b3c73bed3d26f4b670503692b56

SHA1
7452549adfb255caa3cbb422569cba7c956371a9

SHA256
6ed2cb37704ad5c54d99e13c4d6f73b3e1c55d2ac3f69004175e2518f75913d4

SHA512
fc421b0851855155fd4c51ee8e58e4fd419a7c2c27e749da9e0960634521d4c7f81ce1c3993323e41c5fae3e7bf71f16d6318f0ddfef7ecbb0915b7d8eddfb33

Download Submit
C:\TDDownload\atruiwang\atruiwang.exe

Filesize
89KB

MD5
eb5f7eceb68cc1c3b2f46743cedc9dc5

SHA1
47f3f566a3056ba420bc005b24901d86d6e886f9

SHA256
bb3f66c546b096a89fe8032153657e0084289881f55b1055358be6fdb1a4e7c3

SHA512
d04668d573ed8179d202d07120d6f0e600ea8d291d340c75024695b8a1447f844e897848018bc7b243978dca05bee8f5eae14142f82a299fc7e7e3b249809a2f

Download Submit
C:\TDDownload\atruiwang\atruiwang.exe

Filesize
85KB

MD5
143f24d1db360f9e4ae426af4c087d8a

SHA1
a5ffa30dcb95e48fcf05b29097569d0b972a2909

SHA256
91c1911a814b78a0cad8a5d2d32aa950f8b0246ae2054a51c79ebff834e48ff3

SHA512
e917140124b56fba3783913c65b80e9d6b3ebb35e65fd11a832ea7aaf4bb1a61647a8178b7bede23a002dd0d1bf90405d68bc1365cac3203cda98d1b01b68d22

Download Submit
C:\TDDownload\atruiwang\installedrw.exe

Filesize
36KB

MD5
056c666703fd43f3bd7f00bbeba9e0e2

SHA1
97b3754216d51809bb5caef8ed2571a5e0c2878a

SHA256
c5b941921abdfd96776da6ef5621b15f8f199c742f4d69723d6c30e26d44da1b

SHA512
751861bf41224f6af927496ada481480065bb04ae923962909156a5b6cf0d3ad3cabfa81460374732844cbb32eb4b4241835998457cb012c2e933d779eac5122

Download Submit
memory/1704-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1704-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3752-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-29-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-35-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-41-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3752-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4836-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4836-17-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads